But, could the rules be applied to data being received from a tunnel? With mobile IPSec clients (ignoring PPTP as an option), there is no way to control data received. You can only have filters on what goes into a tunnel and not what is coming out. If this could be overcome, that'd be great and I could move more people from PPTP to IPSec.
- Jason

-----Original Message-----
From: Peter Curran [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 30, 2006 8:53 AM
To: [email protected]
Subject: Re: [pfSense Support] Static routes over IPSec

This problem is caused because IPsec tunnel mode creates 'implicit' tunnels. These are not visible to the rest of the IP layer, because the decision to tunnel the traffic is made after the packet has been forwarded.

One easy solution is to create an 'explicit' tunnel, using something like GRE, and then secure this using IPsec transport mode. I did have this working fine on a hacked version of m0n0wall a year or so ago, and I daresay that it could be implemented on pfsense. To be honest, I thought it was (using gif tunnels) as I am sure it appeared in an earlier release.

From a usage viewpoint you would just see a new optional interface that you could route stuff to (also apply firewall and traffic shaper rules). The basic characteristics are the same (GRE has higher overheads, so the MTU would be reduced a little. IP-in-IP using GIF is the same overhead as IPsec tunnel mode).

/Peter
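The explicit-tunnel design Peter describes (a routable gif/GRE interface whose outer packets are protected by IPsec transport mode, with firewall rules applied on the tunnel interface) looks roughly like the following on a plain FreeBSD host. This is an added illustration, not configuration from the thread, from m0n0wall or from pfSense (pfSense generates its own configuration from its GUI); the endpoint addresses 203.0.113.1 / 198.51.100.1, the tunnel addresses 10.0.0.1 / 10.0.0.2 and the two LAN prefixes are constructed placeholders.

```conf
# --- /etc/rc.conf (local end, outer address 203.0.113.1) ---
# 1. Explicit IP-in-IP tunnel: gif0 is a real interface the IP layer can see.
gif_interfaces="gif0"
gifconfig_gif0="203.0.113.1 198.51.100.1"
ifconfig_gif0="inet 10.0.0.1 10.0.0.2 netmask 255.255.255.255"

# 2. Ordinary static route through the tunnel; this is what tunnel mode
#    cannot offer, because there the tunnelling decision comes after forwarding.
static_routes="branch"
route_branch="-net 192.168.2.0/24 10.0.0.2"

# 3. Load the transport-mode security policy at boot.
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

# --- /etc/ipsec.conf (setkey syntax) ---
# Transport mode protects the outer gif packets between the two endpoints
# ("require" drops them unprotected rather than sending in the clear).
# The SAs themselves come from the IKE daemon (e.g. racoon) or manual keying.
spdadd 203.0.113.1 198.51.100.1 any -P out ipsec esp/transport//require;
spdadd 198.51.100.1 203.0.113.1 any -P in  ipsec esp/transport//require;

# --- /etc/pf.conf ---
# Because gif0 is a real interface, rules can now be applied to traffic
# coming OUT of the tunnel, not just to what goes in.
lan_net    = "192.168.1.0/24"
branch_net = "192.168.2.0/24"

# Only ESP between the two endpoints is allowed to reach the outer interface.
pass in  on em0 proto esp from 198.51.100.1 to 203.0.113.1
pass out on em0 proto esp from 203.0.113.1 to 198.51.100.1

# Decapsulated traffic is filtered on gif0 like any other interface.
block in  on gif0 all
pass  in  on gif0 from $branch_net to $lan_net keep state
pass  out on gif0 from $lan_net to $branch_net keep state
```

The remote end mirrors this with the addresses swapped. The "block in on gif0" rule is the point of the exercise: with tunnel mode there is no interface on which such a rule could be placed, whereas here the decapsulated packets arrive on gif0 and are subject to pf before being forwarded. GRE (gre0) substitutes for gif0 with the same structure but four extra bytes of header per packet, which is the MTU difference Peter mentions.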
